Update sepolicy/pawlet_device.te

sepolicy/pawlet_device.te

@@ -5,17 +5,14 @@ type pawlet_device_exec, exec_type, file_type, system_file_type;
 # Inherit from core domain
 typeattribute pawlet_device coredomain;
 
-# Property access - use proper macros ONLY
+# Property access - use proper macros ONLY (no direct allow rules)
 get_prop(pawlet_device, vendor_default_prop)
 set_prop(pawlet_device, vendor_default_prop)
 
-# Framework interactions - use proper macros
-# REMOVE direct service_manager access
-# allow pawlet_device system_server:service_manager find;
-
-# REMOVE all direct file access to properties
-# allow pawlet_device vendor_default_prop:file { getattr open read map };
-
-# If you need to interact with system services, use proper domains:
+# Binder communication if needed
 allow pawlet_device system_server:binder { call transfer };
-allow pawlet_device servicemanager:binder { call transfer };
+allow pawlet_device servicemanager:binder { call transfer };
+
+# Basic file access for your domain (only for your own files)
+allow pawlet_device pawlet_device_exec:file { execute read open map };
+allow pawlet_device system_file:file { read getattr open };